Top 12 Nmap Commands to Scan Remote Hosts with Best Practices

In this tutorial, we will go through the top 12 Nmap commands for scanning remote hosts. Nmap is a free and open-source network scanner created by Gordon Lyon. It discovers hosts and services on a computer network by sending packets and analyzing the responses, and it provides a number of features for probing networks, including host discovery, service detection and operating system detection.

Nmap Commands

Prerequisites

You only need the nmap tool installed on your system. If you don't have it, install it using the steps below.

For RedHat/CentOS

yum install nmap

For Ubuntu

sudo apt-get install nmap


1. To Scan remote host 10.220.12.8

To scan remote host 10.220.12.8, run nmap 10.220.12.8. With no other options, Nmap scans the 1,000 most common TCP ports.

[root@localhost ~]# nmap 10.220.12.8

Starting Nmap 6.40 ( http://nmap.org ) at 2019-12-06 05:04 EST
Nmap scan report for dns.example (10.220.12.8)
Host is up (0.051s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
53/tcp open domain
443/tcp open https

Nmap done: 1 IP address (1 host up) scanned in 5.46 seconds

2. To Scan Port 80 of remote host 10.220.12.8

You can also scan a single port by passing it with the -p option.

[root@localhost ~]# nmap -p 80 10.220.12.8

Starting Nmap 6.40 ( http://nmap.org ) at 2019-12-06 05:30 EST
Nmap scan report for dns.example (10.220.12.8)
Host is up (0.043s latency).
PORT STATE SERVICE
80/tcp filtered http

Nmap done: 1 IP address (1 host up) scanned in 0.57 seconds

3. To Scan range of ports

This command scans every TCP port from 1 to 65535, so it takes some time to display the output. Note that it reports 853/tcp, which the default scan in step 1 did not show.

[root@localhost ~]# nmap -p 1-65535 10.220.12.8

Starting Nmap 6.40 ( http://nmap.org ) at 2019-12-06 05:34 EST
Nmap scan report for dns.example (10.220.12.8)
Host is up (0.046s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE
53/tcp open domain
443/tcp open https
853/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 121.70 seconds
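The full-range scan is most useful when its result is compared with what the host is supposed to expose. The following is an added example, not part of the original tutorial: it reads the report lines shown in steps 2 and 3 and lists open ports that are outside an approved baseline, and baseline ports that are no longer open. The baseline values and function names are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example: compare open ports in saved nmap output with an approved baseline.

# Ports this host is expected to expose (an assumption made for this example).
BASELINE="53/tcp 443/tcp"

# Report lines as printed in the step 3 output of the article.
FULL_SCAN='Nmap scan report for dns.example (10.220.12.8)
Host is up (0.046s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE
53/tcp open domain
443/tcp open https
853/tcp open unknown'

# Report lines as printed in the step 2 output (port 80 only).
PORT80_SCAN='PORT STATE SERVICE
80/tcp filtered http'

# Print "port/proto" for rows whose STATE is exactly "open". States such as
# "filtered" or "open|filtered" are skipped because nmap got no confirming reply.
open_ports() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print $1 }'
}

# Print items of list $1 that do not appear in list $2 (both space separated).
not_in() {
    for item in $1; do
        case " $2 " in
            *" $item "*) ;;
            *) printf '%s\n' "$item" ;;
        esac
    done
}

# Open ports that are not in the baseline: candidates for unapproved exposure.
unexpected_ports() { not_in "$(open_ports "$1" | tr '\n' ' ')" "$2"; }

# Baseline ports the scan did not see open: service down or newly filtered.
missing_ports() { not_in "$2" "$(open_ports "$1" | tr '\n' ' ')"; }

echo "unexpected: $(unexpected_ports "$FULL_SCAN" "$BASELINE")"
echo "missing:    $(missing_ports "$PORT80_SCAN" "80/tcp")"
```

Run against the step 1 output instead, the same check would report nothing unexpected, because the default scan never probed port 853.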

4. To Scan entire CIDR IP Ranges

To scan an entire CIDR range, pass the subnet in CIDR notation.

[root@localhost ~]# nmap 10.220.12.0/28

Starting Nmap 6.40 ( http://nmap.org ) at 2019-12-06 05:36 EST
Nmap done: 4 IP addresses (0 hosts up) scanned in 5.09 seconds

5. To Scan OS of remote host 10.220.12.8

To find the OS of the remote host, use the -A switch, which enables OS detection along with version detection, script scanning and traceroute, together with the -T4 switch for a faster scan.

[root@localhost ~]# nmap -A -T4 10.220.12.8

Starting Nmap 6.40 ( http://nmap.org ) at 2019-12-06 05:39 EST
Nmap scan report for dns.example (10.220.12.8)
Host is up (0.046s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
53/tcp open tcpwrapped
443/tcp open https?
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Google Public DNS
| ssl-cert: Subject: commonName=dns.google/organizationName=Google LLC/stateOrProvinceName=California/countryName=US
| Not valid before: 2019-11-05T07:47:00+00:00
|_Not valid after: 2020-01-28T07:47:00+00:00
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): OpenBSD 4.X (89%)
OS CPE: cpe:/o:openbsd:openbsd:4.0
Aggressive OS guesses: OpenBSD 4.0 (89%), OpenBSD 4.3 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 9 hops

TRACEROUTE (using port 443/tcp)
HOP RTT ADDRESS
1 4.26 ms 192.168.0.1
2 13.36 ms 10.239.0.1
3 10.52 ms broadband.example.in (102.53.20.17)
4 10.51 ms broadband.example.in (102.53.20.18)
5 ... 6
7 48.74 ms 67.125.242.145
8 48.75 ms 114.239.47.143
9 48.80 ms dns.example (10.220.12.8)

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 49.10 seconds

6. To Scan for UDP and TCP Ports

To scan UDP and TCP ports, use -sU for a UDP scan and -sT for a TCP connect scan.

Scan for UDP Protocol

[root@localhost ~]# nmap -sU 10.220.12.8

Starting Nmap 6.40 ( http://nmap.org ) at 2019-12-06 05:48 EST
Nmap scan report for dns.example (10.220.12.8)
Host is up (0.044s latency).
Not shown: 998 open|filtered ports
PORT STATE SERVICE
53/udp open domain
33459/udp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 16.02 seconds

Scan for TCP Protocol

[root@localhost ~]# nmap -sT 10.220.12.8

Starting Nmap 6.40 ( http://nmap.org ) at 2019-12-06 05:48 EST
Nmap scan report for dns.example (10.220.12.8)
Host is up (0.045s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
53/tcp open domain
443/tcp open https

Nmap done: 1 IP address (1 host up) scanned in 5.30 seconds

7. To Scan multiple Hosts

To scan multiple hosts in a network while excluding one IP address, use the --exclude switch.

[root@localhost ~]# nmap 10.220.110.* --exclude 10.220.110.4

Starting Nmap 6.40 ( http://nmap.org ) at 2019-12-06 06:02 EST
Nmap done: 255 IP addresses (0 hosts up) scanned in 205.36 seconds

8. To check if any Firewall is Enabled

You can also check whether the remote host is filtering packets. The -sA (TCP ACK) scan reports ports as filtered or unfiltered, not as open or closed.

[root@localhost ~]# nmap -sA 10.220.12.8

Starting Nmap 6.40 ( http://nmap.org ) at 2019-12-06 06:04 EST
Nmap scan report for dns.example (10.220.12.8)
Host is up (0.052s latency).
All 1000 scanned ports on dns.example (10.220.12.8) are filtered

Nmap done: 1 IP address (1 host up) scanned in 53.14 seconds

9. To perform a Stealthy Scan

To perform a stealthy scan, use the -sS switch, which sends a TCP SYN and does not complete the handshake.

[root@localhost ~]# nmap -sS 10.220.12.8

Starting Nmap 6.40 ( http://nmap.org ) at 2019-12-06 06:08 EST
Nmap scan report for dns.example (10.220.12.8)
Host is up (0.043s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
53/tcp open domain
443/tcp open https

Nmap done: 1 IP address (1 host up) scanned in 5.40 seconds

10. To Launch Brute Force Attacks

WordPress brute force attack:

nmap -sV --script http-wordpress-brute --script-args 'userdb=username.txt,password=passwds.txt,http-wordpress-brute.hostname=example.com, http-wordpress-brute.threads=3,brute.firstonly=true' 10.220.12.8

Brute force attack against MS-SQL:

nmap -p 1433 --script ms-sql-brute --script-args userdb=users.txt,passdb=password.txt 10.220.12.8

FTP brute force attack:

nmap --script ftp-brute -p 21 10.220.12.8

11. To find Vulnerability in the Remote Host

Here you can run the vuln script category against remote host 10.220.12.8 to look for vulnerabilities. This is one of the many distinctive features of Nmap.

[root@localhost ~]# nmap -Pn --script vuln 10.220.12.8

Starting Nmap 6.40 ( http://nmap.org ) at 2019-12-06 05:59 EST
Nmap scan report for dns.example (10.220.12.8)
Host is up (0.046s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
53/tcp open domain
443/tcp open https
| http-enum:
| /flexfm/: Flex File Manager
| /forum_answer.php?que_id=1: Guru JustAnswer
| /pix/middlefile.gif: Middle files
|_ /root/admin/file.aspx: file.NET (CMS)
|_http-fileupload-exploiter:
|_http-frontpage-login: false
|_http-huawei-hg5xx-vuln: false
|_http-majordomo2-dir-traversal: ERROR: Script execution failed (use -d to debug )
|_http-phpmyadmin-dir-traversal: ERROR: Script execution failed (use -d to debug )
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2010-0738: false

Nmap done: 1 IP address (1 host up) scanned in 822.62 seconds
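In the output above, two scripts ended with "ERROR: Script execution failed", which means those checks were never made, not that the host passed them. The following added example, not part of the original tutorial, sorts the script lines from that output into negative, inconclusive and needs-review results. The status labels and function name are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example: triage NSE "vuln" results so script errors are not read as a clean result.

# Script lines as printed in the step 11 output of the article.
NSE_OUTPUT=$(cat <<'EOF'
| http-enum:
| /flexfm/: Flex File Manager
| /forum_answer.php?que_id=1: Guru JustAnswer
| /pix/middlefile.gif: Middle files
|_ /root/admin/file.aspx: file.NET (CMS)
|_http-fileupload-exploiter:
|_http-frontpage-login: false
|_http-huawei-hg5xx-vuln: false
|_http-majordomo2-dir-traversal: ERROR: Script execution failed (use -d to debug )
|_http-phpmyadmin-dir-traversal: ERROR: Script execution failed (use -d to debug )
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2010-0738: false
EOF
)

# Print "<STATUS> <script>" for each script:
#   NEGATIVE      script ran and reported nothing (false, empty, or "Couldn..t find")
#   INCONCLUSIVE  script failed to run, so the check was never made
#   REVIEW        script produced findings that a person has to look at
triage_nse() {
    printf '%s\n' "$1" | awk '
        function emit() {
            if (cur == "") return
            if (val ~ /^ERROR/) { s = "INCONCLUSIVE" }
            else if (extra == 0 && (val == "" || val == "false" || val ~ /^Couldn.t find/)) { s = "NEGATIVE" }
            else { s = "REVIEW" }
            print s, cur
        }
        {
            line = $0
            sub(/^\|_? */, "", line)           # drop the "| " or "|_" gutter
            name = line; sub(/:.*/, "", name)  # text before the first colon
            if (name ~ /^[a-z][a-z0-9-]*$/) {  # looks like an NSE script name
                emit(); cur = name; extra = 0
                val = line; sub(/^[^:]*: */, "", val)
            } else if (cur != "") extra++      # continuation line of the current script
        }
        END { emit() }'
}

triage_nse "$NSE_OUTPUT"
```

Scripts marked INCONCLUSIVE are the ones to rerun with -d, as the error text itself suggests.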

12. To detect malware infection on remote hosts

Another important feature of Nmap is that you can check remote hosts for malware infection by running the script below.

[root@localhost ~]# nmap -sV --script=http-malware-host 10.220.12.8

Starting Nmap 6.40 ( http://nmap.org ) at 2019-12-06 06:22 EST
Nmap scan report for dns.example (10.220.12.8)
Host is up (0.000013s latency).
Other addresses for localhost (not scanned): 10.220.12.8
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
25/tcp open smtp Postfix smtpd
Service Info: Host: localhost.localdomain

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds
